We give new arguments in support of signed quantum key establishment, where quantum cryptography is used in a public-key infrastructure that provides the required authentication. We also analyze more thoroughly than previous works the benefits that quantum key establishment protocols have over certain classical protocols, motivated in part by the various objections to quantum key establishment that are sometimes raised. Previous knowledge of quantum cryptography on the reader's part is not required for this article, as the definition of "quantum key establishment" that we use is an entirely classical and black-box characterization (one need only trust that protocols satisfying the definition exist).

Quantum cryptography^1 has been promoted as a more secure alternative to public-key cryptography based on computational assumptions (see the abstract of Ref. [1] for a typical example). However, an opposing view is sometimes voiced by classical cryptographers and computer security specialists questioning whether quantum cryptography is really a practical way to achieve security against quantum computers, also known as quantum resistance. Several detailed analyses have appeared that consider the benefits and disadvantages of quantum cryptography in comparison to classical alternatives [2, 3, 4, 5]. The present article contributes to the dialogue in a way that we hope is very palatable to the community of quantum-questioning cryptographers: we give new arguments in support of signed quantum key establishment, where quantum cryptography is used in a public-key infrastructure that provides the required authentication.

We also analyze more thoroughly than previous works the benefits that quantum key establishment (QKE) protocols have over certain classical protocols, motivated in part by the various objections to QKE that have been put forward (for example, in Ref. [5]). Some of those objections follow:^2

1 Note that quantum cryptography includes many protocols that this paper does not discuss. We use the term "quantum cryptography" here as a synonym for "quantum key establishment", often called "quantum key distribution" or "QKD".

• Objection 1: Quantum computers are not known to be able to break all classical public-key cryptosystems, such as the McEliece cryptosystem or those based on lattice problems; so we can just upgrade to these quantum-resistant cryptosystems and forget quantum cryptography — that way, we'd retain all the benefits of a public-key infrastructure.

• Objection 2: If all of classical public-key cryptography is found to be easily breakable, then we might as well revert to using our best symmetric-key cryptography, including block ciphers like AES, which we all agree is quantum resistant; quantum cryptography would require symmetric shared initial keys anyway in this case, so it wouldn't gain us anything.

• Objection 3: We don't need any means of key distribution, let alone 
a quantum mechanical one — let's just exchange a lifetime's worth of 
symmetric keying material at the start. If for whatever reason we do 
need new keys, see Objection 4. 

• Objection 4: We don't need any means of generating independent se- 
cret key over telecommunication links — let's just use a trusted courier 
each time we need independent secret key. 

We address all of these objections. 

Not quantum cryptography again. As in pro-quantum-cryptography articles that have come before this, we assume here that the universe is quantum mechanical, so that, at a minimum, the secret key generated by a secure key-establishment protocol must be secure against an adversary able to perform probabilistic-polynomial-time computations on a quantum computer. As well, as stated by Stebila et al. [1], we "expect the costs and challenges of using [QKE] to decrease to the point where [such] systems can be deployed affordably and their behaviour can be certified." In fact, most of the advantages of quantum cryptography that we point out here have been noted by Paterson et al. [2] or Stebila et al. [1].

2 We have stated these objections in our own words.

Despite these similarities to previous works, our analysis contains distinct new features: it

• suggests a new way to define the classes of classical and QKE protocols, in order to aid their comparison,

• deals properly with the option of using trusted couriers instead of QKE, 
by distinguishing between in-band and out-of-band actions, 

• uses the weakest possible notion of "security" in a quantum universe 
(i.e. computational security), and therefore does not focus on information- 
theoretic security — for its own sake — as an advantage of QKE over 
computationally-secure classical alternatives, 

• provides a finer-grained analysis of the computational assumptions 
underlying the classical alternatives to QKE, 

• highlights a property (we call it "nonattributability" ) of QKE that has 
received little attention in the literature, and 

• supports a recommendation that is both theoretically and practically 
sound, which both sides of the "quantum debate" can agree upon. 

Generally, we hope the reader finds this article to benefit from a more precise cryptographic analysis, despite its more limited scope in taking an idealized view and thus not discussing the more technological or economical aspects of QKE (including side-channel attacks). In other words, this paper studies the value of the QKE primitive assuming it is available in practice and is as cost-effective as any type of "in-band" classical key establishment (see Definition 1).^3 We adopt the same foundational approach that Goldreich does in Refs. [7, 8]. This basically means that, when reviewing which computational assumptions are known to be necessary or sufficient for certain cryptographic primitives, we ignore those assumptions (and the schemes based on them) that are ad hoc: we deal only in fundamental computational assumptions, in particular, one-way functions and trapdoor predicates.

But the foregoing analysis is not as complete as it could be. In particular, we do not treat the distributed authenticated key establishment problem (i.e., in a network setting and where simultaneous, multiple key establishment sessions among many pairs of users are considered) as rigorously as it deserves (e.g., [9, 10]). That is, we implicitly assume that point-to-point^4 unauthenticated key establishment protocols (whether they be key transport protocols or key agreement protocols^5) and message-authentication protocols (whether they be digital signature schemes or message authentication codes) may be combined in such a way as to form robust distributed authenticated key establishment protocols, without stating the details of how this combining — especially with regard to authentication — actually works.^6 This deficiency is manifest in the definition of "security" that we use (Definition 2): it only refers to privacy of the secret key and not its integrity; we take authentication in a network setting for granted (for both classical and quantum networks). Thus, analyzing point-to-point key establishment systems is sufficient for our scope and, for such systems, integrity of the established secret key is obtained either by assumption (in the case of unauthenticated key establishment) or by the message-authentication protocols used to authenticate the classical communication channel (in the case of authenticated key establishment). Our omission of the analysis of distributed QKE in no way is meant to imply that the problem is trivial — we believe it is an important open problem, which to our knowledge has not been addressed in any previous works.

3 The practical availability of the QKE primitive between a typical real-world Alice and Bob is a very non-trivial assumption. For a fairly recent status report on practical QKE systems, one can see Ref. [6], where it is evident that key-rate, distance and availability remain serious obstacles for most practical applications today. In the cases that one believes that QKE could in principle add value, one will need to do an in-depth analysis of the various costs and practical limitations before deciding whether in some particular practical situation QKE will be the preferred alternative. Weighing the costs against the value depends on many parameters which vary widely from place to place and over time, and analyzing this broad spectrum is beyond the scope of this paper.

As a final note to the reader, we stress that previous knowledge of quantum cryptography is not required for this article. The definition of "QKE" that we use is an entirely classical and black-box characterization (one need only trust that protocols satisfying the definition exist).



Key establishment. We are ultimately interested in authenticated key establishment (or AKE), since, in practice, it is usually not a reasonable assumption that the classical channel connecting Alice and Bob is authenticated a priori. But we shall also consider unauthenticated key establishment (or UKE), because, as well as being useful as a building block for AKE systems, it is an often-considered cryptographic primitive in more foundational works, e.g., Ref. [12] (see Remark 2). We now make some precise definitions.

4 By "point-to-point" protocols or key establishment systems we mean those that presume a unique pair of honest participants in the protocol; in other words, Alice and Bob are fixed.

5 Recall that a key transport protocol is a key establishment protocol where the final secret key is generated by one party and sent to the other party (using some kind of encryption mechanism). By contrast, a key agreement protocol is a key establishment protocol where both parties contribute to the generation of the final secret key. See Ref. [11] for more details.

6 We follow Ref. [11] in our use of the terms "authenticated (key establishment)" and "unauthenticated (key establishment)". In this convention, the word "(un)authenticated" describes the guaranteed condition of the final shared key resulting from the protocol. We note that this convention is the opposite of that in Ref. [8], where "(un)authenticated" describes the a priori assumption on the (classical) communication channel used in the protocol.

A (point-to-point) AKE system consists of two probabilistic-polynomial-time (quantum) computers, called "Alice" and "Bob", that

• are preloaded with classical initial keys, $k_A$ (stored on Alice) and $k_B$ (stored on Bob), which are pre-distributed out of band (see Definition 1) in an authenticated and, where necessary (for example, when the keys are symmetric), private fashion, and

• are connected by two insecure channels, one quantum and one classical, variously monitored or controlled by an adversarial probabilistic-polynomial-time (quantum) computer, called "Eve", and

• together execute a particular (point-to-point) AKE protocol, the specification $\pi$ of which is preloaded authentically but is not secret, and

• which results in Alice and Bob computing outputs $s_A$ and $s_B$, respectively, such that either $s_A = s_B = \bot$, which corresponds to Alice and Bob aborting the protocol, or $s_A$ and $s_B$ are bit-strings, in which case, if $s_A = s_B$, then the secret key $s := s_A$ is defined.

When the initial keys are symmetric ($k_A = k_B$), we may use $k$ to denote each one, i.e., $k = k_A = k_B$; if the initial keys are asymmetric ($k_A \neq k_B$), then

$$k_A = (x_A, y_B), \qquad k_B = (x_B, y_A),$$

where $(x_A, y_A)$ is Alice's private-public key-pair and $(x_B, y_B)$ is Bob's private-public key-pair. We will say more about asymmetric (public-key) cryptography later on.

Definition 1 (In band/out of band). The term "in band" describes actions carried out in the normal course of telecommunications strictly via remote signalling across communication channels. The term "out of band" is used to mean "not in band" and describes communication via non-digital/manual means as opposed to via standard telecommunication devices.
Remark 1 (Classical channel). Strictly speaking, there is no need for a dedicated classical channel between Alice and Bob, since classical information can be sent along the quantum channel. However, the well-known QKE protocols (i.e., those based on the ones in Refs. [13, 14]) clearly distinguish the classical from the quantum communication; in particular, it suffices that only the classical communication is authenticated in order for the secret key to be authenticated at the end of the protocol (whereas, one could imagine a quantum protocol where the quantum communication also needs to be authenticated). In line with this distinction, we assume separate quantum and classical channels.

A (point-to-point) UKE system is defined similarly to an AKE system, with only the following differences:

• Alice and Bob possess no initial keys and

• the classical channel is assumed to be authenticated, i.e., Eve is assumed only to passively monitor the classical channel (but she can still totally control the quantum channel), and

• $\pi$ is a (point-to-point) UKE protocol.

We also need to define conditions under which a key establishment protocol is secure or, more specifically, quantum-resistant. We would like a definition that applies equally well to both quantum and fully classical protocols, i.e., all protocols allowed in the above frameworks. Since we take authentication for granted (as explained above), the following security definition is sufficient for both AKE and UKE systems. Call a key establishment protocol perfectly secure if, for any algorithm for Eve, we have that (1) $s_A = s_B$, (2) if $s_A \neq \bot$ then $s_A$ is uniformly distributed and independent of Eve's state, and (3) if Eve does not interfere with the protocol (where we assume otherwise perfect channels), then $s_A \neq \bot$. Let $\mathcal{I}$ be an ideal key establishment system that implements a perfectly secure protocol. Let $\mathcal{R}(\pi)$ be a real key establishment system that uses protocol $\pi$. Let $n$ be the minimum length of the secret key $s$ if Alice and Bob do not abort. Consider a probabilistic-polynomial-time (quantum) distinguisher running in time polynomial in $n$, that interacts with either $\mathcal{I}$ or $\mathcal{R}(\pi)$ and then outputs a guess bit $B$; the distinguisher has access to Eve's system and the outputs $s_A$ and $s_B$.

Definition 2 (Quantum-resistant key-establishment protocol (with respect to privacy)). Assuming the above definitions, a point-to-point key-establishment protocol $\pi$ is quantum-resistant (with respect to privacy) if, for any such distinguisher, the quantity

$$\bigl|\Pr[B = 1 \mid \mathcal{I}] - \Pr[B = 1 \mid \mathcal{R}(\pi)]\bigr| \qquad (3)$$

is negligible for all sufficiently large $n$, where $\Pr[B = 1 \mid \mathcal{I}]$ and $\Pr[B = 1 \mid \mathcal{R}(\pi)]$ are the probabilities that $B = 1$ when the distinguisher interacts with $\mathcal{I}$ and $\mathcal{R}(\pi)$, respectively.

We give this (semi-formal) definition for completeness; we refer the reader to Refs. [15, 16, 17] for how to rigorize such a definition.

As a final specification of our basic setup, it will be helpful to define 
the classical communication c in a key establishment protocol. For classi- 
cal protocols, the classical communication is all the communication between 
Alice and Bob. For arbitrary (quantum) protocols, defining the classical 
communication is a bit more subtle; we refrain from giving a formal defini- 
tion here (for the sake of the reader who may be unfamiliar with quantum 
measurement). Rather, for the quantum protocols we care about, it suffices 
to define the classical communication tautologically as the classical commu- 
nication specified in the protocol, since these protocols clearly and naturally 
distinguish the classical and quantum information sent between Alice and 
Bob. 

The contenders. Below are listed and defined two main classes of point-to-point UKE protocols as well as the five main classes of point-to-point AKE protocols that are considered in the literature when evaluating the usefulness of quantum cryptography in comparison to classical techniques for key establishment. These classes, as defined, do not cover all conceivable protocols, but do cover all the ones that are usually considered (which suffices here). In defining these classes, we restrict to quantum-resistant protocols (because the universe is quantum). It will help to view the quantities $k_A$, $k_B$, $k$, $s$, and $c$ introduced above as random variables. For example, in the case of symmetric initial keys, the quantity $k$ may be viewed as a uniformly distributed random variable in $\{0,1\}^{\ell}$, for some fixed $\ell \in \mathbb{Z}_{>0}$ that determines the length of the initial keys.

Unauthenticated key establishment protocols: 

• Classical UKE (c-UKE) — This class includes any quantum-resistant and totally classical UKE protocol. It includes unauthenticated key transport protocols based on public-key encryption (but not those based on symmetric-key encryption).

• Quantum UKE (q-UKE) — This class includes any quantum-resistant UKE protocol such that, whenever Eve has not interfered with the protocol, the secret key $s$ is independent of the classical communication $c$, i.e., for all values $c'$ of the classical communication and all values $s'$ of the secret key,

$$\Pr[s = s' \mid c = c'] = \Pr[s = s']. \qquad (4)$$

It includes the well-known QKE protocols and can easily be shown not to include any classical protocols.^7

Remark 2 (Secret key agreement). The cryptographic primitive realized by protocols in c-UKE is usually referred to as secret key agreement (or sometimes just secret agreement) in the literature. Note that this primitive is also realized by protocols in q-UKE.

Authenticated key establishment protocols: 

• Out-of-band key establishment (OOB) — This class includes any AKE protocol where Alice and Bob are preloaded with the secret key out of band, i.e.,

$$s = k_A = k_B. \qquad (5)$$

It includes protocols that employ a trusted courier. The initial keys in such protocols are typically much larger than in protocols belonging to the classes below.

• Pseudorandom generator expansion (PGE) — This class includes any quantum-resistant and totally classical AKE protocol not in OOB that uses symmetric initial keys where Alice and Bob establish a secret key that is efficiently computable from the initial keys, i.e., there exists a deterministic-polynomial-time classical algorithm $A$ such that

$$s = A(\pi, k). \qquad (6)$$



7 We sketch a proof of the latter fact that no purely classical protocol can be quantum resistant and satisfy (4). Let $r_A$ and $r_B$ be binary strings encoding the private local randomness that Alice and Bob respectively use in the protocol. Consider the sequence $c_1, c_2, \ldots$ of messages passed between Alice and Bob. Each $c_i$ places constraints on the values of $r_A$ and $r_B$. Since, at the end of the protocol, the secret key $s$ is uniquely determined, it must be that $r_A$ and $r_B$ are determined by the classical communication $c$ up to implying a unique $s$, i.e., $H(s \mid c) = 0$, where $H$ is the Shannon entropy. For any two random variables $X$ and $Y$, $H(X \mid Y) = H(X)$ if and only if $X$ and $Y$ are independent [18]. Therefore, if (4) holds, then $H(s) = H(s \mid c) = 0$, so that $s$ is a constant and thus the protocol is not quantum resistant.
It includes protocols that use a pseudorandom generator to expand the initial keys into a secret key.



• Weak classical AKE (wc-AKE) — This class includes any quantum-resistant and totally classical AKE protocol in neither PGE nor OOB that uses symmetric initial keys. Note that such protocols have the property that the secret key is efficiently computable from the initial keys and the communication, i.e., there exists a deterministic-polynomial-time classical algorithm $A$ such that

(7)

The class includes authenticated key transport protocols based on symmetric-key encryption.

• Strong^8 classical AKE (sc-AKE) — This class includes any quantum-resistant and totally classical AKE protocol, where Alice and Bob establish an authenticated secret key $s$ that is not functionally dependent on the initial keys $k_A$ and $k_B$, i.e., there exists a deterministic-polynomial-time classical algorithm $A$ such that

$$s = A(\pi, r_A, r_B), \qquad (8)$$

where $r_A$ and $r_B$ are (random variables representing) the private local random choices of Alice and Bob respectively (made independently of the initial keys). It includes authenticated key transport protocols based on public-key encryption (but not those based on symmetric-key encryption); more generally, it includes the "authenticated version" of any quantum-resistant UKE protocol, where the initial keys are used (only) to authenticate all the communication of the protocol (see Remark 7).

• Quantum AKE (q-AKE) — This class includes any quantum-resistant AKE protocol such that, whenever Eve has not interfered with the protocol, the secret key $s$ is independent of the initial keys and the classical communication $c$, i.e., for all values $k'_A$ and $k'_B$ of the initial keys and all values $c'$ of the classical communication and all values $s'$ of the secret key,

$$\Pr[s = s' \mid k_A = k'_A,\ k_B = k'_B,\ c = c'] = \Pr[s = s']. \qquad (9)$$

It includes the authenticated version of the well-known QKE protocols and can easily be shown not to include any classical protocols (similarly to the class q-UKE, defined previously).

8 Our use of the word "strong" differs from that in Ref. [19], where a key establishment protocol is secure only if it remains secure under the reveal of any subset of the initial (also called "long-term") and ephemeral keys that does not contain both the initial and ephemeral keys of one of the parties. The protocols of the class we define here need only remain secure under the reveal of the initial keys. Indeed, the "strong" of Ref. [19] is stronger than ours.
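The following script is an added illustration, not part of the paper: it builds one toy protocol per in-band class (PGE, wc-AKE, sc-AKE, q-AKE) and measures, by exhaustive enumeration over all local randomness, the conditional Shannon entropy of the secret key given what Eve may see (the transcript $c$, the initial keys $k$, or both). Exhaustive enumeration plays the role of an unbounded Eve, so the table it prints is the functional-dependence structure of eqs. (6), (8) and (9) and the $H(s \mid c) = 0$ argument of footnote 7 made concrete. The toy protocols, their tiny parameters (4-bit keys, Diffie-Hellman mod 11) and the idealization of the quantum channel as shared uniform randomness with no eavesdropper are assumptions of this example.

```python
"""Toy protocols, one per in-band class, and the entropy of their secret key
given Eve's view.  Added example; protocols and parameters are assumptions."""
from collections import Counter, defaultdict
from itertools import product
import math


def entropy(counts):
    """Shannon entropy in bits of a distribution given as value -> count."""
    total = sum(counts.values())
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def cond_entropy(outcomes, view):
    """H(s | view(k, c)) over a list of equally likely outcomes (s, k, c).

    Exhaustive enumeration stands in for a computationally unbounded Eve:
    whatever her view determines information-theoretically has entropy 0."""
    by_view = defaultdict(Counter)
    for s, k, c in outcomes:
        by_view[view(k, c)][s] += 1
    total = len(outcomes)
    return sum(sum(cnt.values()) / total * entropy(cnt) for cnt in by_view.values())


def pge():
    """PGE, eq. (6): s = A(pi, k).  A 4-bit initial key k is expanded by a
    fixed bijection (standing in for a PRG); nothing is sent, so c is empty."""
    return [((7 * k + 3) % 16, k, None) for k in range(16)]


def wc_ake():
    """wc-AKE: symmetric key transport.  Alice picks r_A and sends
    c = r_A xor k (one-time pad under the shared initial key); s = r_A is
    computable from (pi, k, c), but c alone reveals nothing about it."""
    return [(r_a, k, r_a ^ k) for k in range(16) for r_a in range(16)]


def sc_ake():
    """sc-AKE, eq. (8): s = A(pi, r_A, r_B).  Toy Diffie-Hellman mod p = 11,
    generator 2; the initial key k only authenticates the messages (omitted)
    and never enters s.  An unbounded Eve recovers r_A, r_B from c by brute
    force, which is footnote 7's H(s | c) = 0 for a classical protocol."""
    P, G = 11, 2
    return [(pow(G, r_a * r_b, P), k, (pow(G, r_a, P), pow(G, r_b, P)))
            for k in range(4) for r_a in range(1, 11) for r_b in range(1, 11)]


def q_ake():
    """q-AKE, eq. (9): s independent of k and c.  The quantum channel is
    idealized (black box, no eavesdropper) as 4 uniform bits q shared by Alice
    and Bob; the classical communication c announces one test position t and
    the bit q[t] (parameter estimation), and s is the remaining 3 bits."""
    outcomes = []
    for k in range(4):
        for q in product((0, 1), repeat=4):
            for t in range(4):
                outcomes.append((q[:t] + q[t + 1:], k, (t, q[t])))
    return outcomes


PROTOCOLS = {"PGE": pge, "wc-AKE": wc_ake, "sc-AKE": sc_ake, "q-AKE": q_ake}

# Eve's possible views: nothing, the initial keys, the transcript, or both.
VIEWS = {
    "H(s)": lambda k, c: None,
    "H(s|k)": lambda k, c: k,
    "H(s|c)": lambda k, c: c,
    "H(s|k,c)": lambda k, c: (k, c),
}


def dependence_table():
    """Conditional entropy of s (bits) for every toy protocol and every view."""
    return {name: {label: cond_entropy(proto(), view) for label, view in VIEWS.items()}
            for name, proto in PROTOCOLS.items()}


if __name__ == "__main__":
    for name, row in dependence_table().items():
        print(f"{name:7s}", "  ".join(f"{label}={val:.2f}" for label, val in row.items()))
```

Reading the printed rows against the classes: PGE and wc-AKE lose all key entropy once $k$ (respectively $k$ and $c$) is revealed, sc-AKE survives the reveal of $k$ but not an unbounded Eve reading $c$, and only the idealized q-AKE row keeps $H(s \mid k, c) = H(s)$.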

Remark 3 (Possible emptiness of classical classes). Of the classes of in-band key establishment protocols, only q-UKE and q-AKE are known to be nonempty.

Remark 4 (Key pre-distribution v. dynamic key establishment). The union of the classes OOB and PGE contains protocols referred to collectively as key pre-distribution schemes [11], which is why we label these two classes differently. Note that there is no need to authenticate the in-band communication in these protocols because there is none. Protocols that are not key pre-distribution schemes are said to accomplish dynamic key establishment.

Remark 5 (Definition of sc-AKE). The class sc-AKE may contain protocols that use the "quantum public-key cryptosystems" in Ref. [20], since the model does not stipulate how initial keys are derived (i.e., they could be derived using a quantum computer).

Remark 6 (Definition of q-AKE). The class q-AKE may contain protocols 
obeying physical theories other than quantum theory. 

Remark 7 (UKE implies AKE). Note that if $\pi$ is in c-UKE, then $\pi$ naturally gives rise to a protocol in sc-AKE when combined with a secure classical message-authentication protocol. A similar statement holds for q-UKE and q-AKE.

We subdivide the classes sc-AKE and q-AKE by the type of initial keys — either symmetric or public — used in the particular key establishment protocol, i.e., we have the following disjoint unions

$$\text{sc-AKE} = \text{sc-AKE}_{\mathrm{sym}} \cup \text{sc-AKE}_{\mathrm{pub}}, \qquad (10)$$

$$\text{q-AKE} = \text{q-AKE}_{\mathrm{sym}} \cup \text{q-AKE}_{\mathrm{pub}}. \qquad (11)$$



Table 1 summarizes the different classes by the various categories.

                                            UKE       AKE
  key pre-distribution    out-of-band                 OOB
                          in-band                     PGE
  dynamic                 in-band                     wc-AKE
  key establishment                         c-UKE     sc-AKE
                                            q-UKE     q-AKE

Table 1: The different classes of key establishment protocols.



Apples and Oranges. The class OOB is included in the above list (and in the following analysis) largely for completeness; it is not technically considered a key establishment protocol. Out-of-band protocols for key establishment need not employ any fundamental cryptographic primitives and cannot provide the same essential functionality that in-band protocols do, i.e., generating new secret key in band. The generally accepted view is that out-of-band key establishment is the most secure way to establish potentially very long secret keys, but that well-implemented in-band protocols typically provide either a more feasible solution in particular applications or a more cost-effective solution in the long term. Because we are making the (reasonable) assumption that QKE will be cost-effective in the future, it reasonably follows that, in at least some cases, it will also be more cost-effective than out-of-band key establishment in the future. We mean to challenge here previous comments made by Bernstein [5], that trusted couriers perform equally as well as QKE systems insofar as their ability to generate entropy in the cryptographic system (from Eve's point of view). The distinction between in-band and out-of-band entropy generation is an important one (cost-wise), and it is impossible to generate entropy in band using classical cryptography alone.

Computational assumptions. We would like to closely examine the fundamental computational assumptions that underlie the various kinds of key establishment protocols. To do this, we start by recalling the following well-known theorems.^9



9 The following theorems and other similar statements should be interpreted as follows. A statement of the form "Cryptographic objects of type Y exist if cryptographic objects of type X exist" means "If there exists an object of type X, then there exists an object of type Y such that breaking the object of type Y implies breaking the object of type X." Such a statement may also be phrased, "X implies Y".
Theorem 8 ([7]). Pseudorandom generators exist if and only if one-way functions exist.

Theorem 9 ([8]). Symmetric-key encryption schemes exist if and only if one-way functions exist.

Theorem 10 ([21]). Public-key encryption schemes exist if and only if trapdoor predicates exist.

Theorem 11 ([22]). Information-theoretically-secure symmetric-key message authentication codes exist.

Theorem 12 ([23, 24]). Public-key signature schemes exist if and only if one-way functions exist.

Theorem 13 ([25]). Information-theoretically-secure q-UKE protocols exist.

Because we are assuming a quantum universe, one-way functions and trapdoor predicates^10 in this article (if they exist) are secure against an adversary with a quantum computer, but are still assumed to be efficiently computable on a classical computer; also, trapdoors are still considered to be classical objects.^11 We also note that Theorems 8, 9, 10 and 12 hold with respect to black-box reductions: if the theorem states that X implies Y, then Y can be constructed from X, only using X as a black box, i.e., the reduction does not rely on the specifics of how X works; furthermore, the security reduction is also a black-box one, i.e., an algorithm for breaking X can be constructed from a black box for breaking Y. Non-black-box theorems of this sort are also possible (for example, see Ref. [27]), but are rarely required for these kinds of results, and indeed are not required for the theorems we quote. This is lucky, since it guarantees us that the theorems still hold with respect to a quantum universe.

The theorems establish the minimal fundamental computational assumptions known to be sufficient for the existence of protocols by class, summarized in Table 2. Public-key encryption implies one-way functions [8].

10 Informally, the predicate $B(x) \in \{0, 1\}$ is a(n) (unapproximable) trapdoor predicate if anyone can find an $x$ such that $B(x) = 0$ or a $y$ such that $B(y) = 1$ efficiently on a classical computer, but only one who knows the trapdoor can, given $z$, compute $B(z)$ efficiently on a quantum computer (this notion was introduced in Ref. [21]). Note that one can use a trapdoor predicate for public-key encryption: the bit $b$ is encrypted as any $x$ such that $B(x) = b$.

11 One could consider "one-way/trapdoor quantum functions", where the input and output of the functions are classical or quantum, and the functions only need to be computable efficiently on a quantum computer. We stick to classical one-way functions and trapdoor predicates that are quantum resistant, candidates of which are, e.g., the trapdoor predicates underlying some lattice-based cryptosystems (see Ref. for more examples).
  Protocol class        Computational assumptions
  OOB                   none
  PGE                   one-way functions
  wc-AKE                one-way functions
  c-UKE/sc-AKE          trapdoor predicates
  q-UKE/q-AKE_sym       none
  q-AKE_pub             one-way functions

Table 2: Minimal known fundamental computational assumptions sufficient for the existence of key establishment protocols in each class.

Thus, the classes c-UKE and sc-AKE require the strongest assumption in the table — the existence of trapdoor predicates — which reflects the fact that it is not known how to construct any protocol in these classes without relying on (or implying) public-key encryption.^12 To facilitate our discussion, we summarize this point as the following conjecture:

Conjecture 14 (Classical secret key agreement implies public-key encryp- 
tion). Every protocol in c-UKE implies a trapdoor predicate (with respect to 
a possibly-non-black-box reduction). 

Safest fair comparison. Most articles on quantum cryptography that appeared in the 1990s and early 2000s stressed the fact that q-AKE$_{\mathrm{sym}}$ (respectively, q-UKE) is the only known class of in-band AKE (respectively, UKE) protocols that requires no computational assumptions. But implicitly discarding all computational assumptions in this way makes it impossible to have a serious discussion about the relative merits of classical and quantum protocols for key establishment (since any classical key-establishment protocol requires some computational assumption). So, suppose we give classical cryptography a fighting chance: suppose we allow only the weakest computational assumption necessary for in-band classical key establishment — one-way functions.

There is good reason to do this. Trapdoor predicates seem to be in- 
herently less secure than one-way functions in general. Firstly, trapdoor 

12 One might declare Table 2 misleading, since, for example, Theorem 12 is usually regarded merely as a plausibility result: the construction of a signature scheme from an arbitrary one-way function is relatively very inefficient. To address this issue, we note that reasonably practical constructions are known for pseudorandom generators, symmetric-key encryption schemes, and signature schemes from one-way permutations [7, 8]. Thus, even restricting to reasonably practical schemes, the class sc-AKE still requires the assumption of a primitive possessing a trapdoor property, as far as we know.
predicates easily imply one-way functions [8], whereas the converse is believed not to be true. As some evidence for this, we note that it has been shown in Ref. [12] that, with respect to black-box reductions (and with respect to a classical universe), one-way functions are not sufficient (even) to imply secret key agreement (see Remark 2; but we have not checked that this theorem holds with respect to a quantum universe — in general, such classical black-box no-go theorems need not). Secondly, using the equivalences stated in Theorem 9 and Theorem 10, it seems far more likely that an efficient algorithm would be found for breaking a public-key cryptosystem (i.e., computing a trapdoor predicate) than breaking a symmetric-key cryptosystem (i.e., inverting a one-way function without the trapdoor property), because the public-key cryptosystem possesses more structure in order to embed a trapdoor into the encryption "function". Quantum computers are firmly believed not to be able to invert all one-way functions efficiently; we state this as a conjecture:

Conjecture 15 (One-way functions exist). Quantum-resistant one-way func- 
tions (computable in polynomial-time on a classical computer) exist. 

We do not mean to suggest that quantum-resistant trapdoor predicates do 
not exist (we don't know). We do suggest, though, that the added structure 
of trapdoor predicates makes it much more likely that algorithms for the 
underlying problems will improve at a more unpredictable rate: plain one- 
way functions are less risky. 

Even allowing one-way functions, we see that QKE has advantages over 
classical systems, beyond unconditional security. 

Advantages of QKE assuming (only) one-way functions. Most of the advantages below have appeared elsewhere in the literature in one form or another, but our presentation is motivated differently. The following four advantages are not intended to be totally independent; indeed, each is just a qualitatively different consequence of the fact that the secret key is independent of both the initial keys and the classical communication in QKE (and that we have taken sc-AKE-protocols out of the picture).

• Advantage 1: Improved security against reveal of initial keys 

In classical cryptography, the physical nature of a cryptosystem and protocol leads to the consideration of different types of attacks, some more serious or more technologically difficult to mount than others. Similarly, adversaries are often categorized by their power; for example, passive adversaries are considered only to be able to read certain data that is sent along a channel, whereas active adversaries are assumed to have complete control over the channel. It is also relevant to consider precisely when Eve may become active: a delayed adversary is one that remains passive until the key establishment protocol completes, but is active immediately afterwards.

The physical nature of a QKE system leads to the consideration of new kinds of attacks and adversaries. Because of the two different channels used, Eve can now operate differently on these two channels.¹³ Thus an adversary can be defined by whether it is passive, delayed, or active on the classical and quantum channels respectively; e.g., (p,p) means "passive on both channels" and (a,d) means "active on the classical channel and delayed on the quantum channel".

With these terms in place, Table 3 shows how q-AKE-protocols have advantages over the other classical protocols that also assume (at most) one-way functions, for certain types of adversary; the table indicates whether secure key can be established when the initial keys have been revealed. For any situation where an immediate active attack is not deployed for whatever reason (e.g. not technologically feasible, or not a high priority at the time), a passive adversary who knows the initial keys loses the ability to compromise the secret key should she become an active attacker later. Note that if "sc-AKE" appeared in the leftmost column of the table, the corresponding row of "yes"/"no" values would look the same as the row corresponding to the class q-AKE.

Note that, in order to break a q-AKE-protocol — or, more precisely, break the cryptosystem that comprises the q-AKE-protocol — Eve, knowing all the initial keys, can mount an active and sustained "man-in-the-middle" attack; furthermore, for a q-AKE_sym-system, the active attack must occur during the first instance of the protocol (as any subsequent instance will use different and independent initial keys). In large networks, this may pose a considerable challenge for Eve, depending on when she learns the initial keys and whether the connections among users are fixed or ad hoc.

Remark 16 (Perfect forward secrecy). Note that Advantage 1 is different from perfect forward secrecy, a much weaker notion referring to whether secret keys established in past sessions (with old initial keys no longer stored on Alice and Bob) are secure once current initial keys are revealed. While q-AKE-protocols certainly have perfect forward secrecy, Bernstein JE/ has noted that well-implemented PGE-protocols do, too.

            (p,p)    (d,d)    (a,p)    (a,d)    (a,a)
  OOB        no       no       no       no       no
  PGE        no       no       no       no       no
  wc-AKE     no       no       no       no       no
  q-AKE      yes      yes      yes      yes      no

Table 3: Security against reveal of initial keys. The entries (yes/no) of the chart indicate whether the secret key generated from the key establishment protocol is secure under the reveal of either Alice's or Bob's initial key for the given adversary (see the main text for an explanation of the notation used to define the adversaries). The class sc-AKE does not appear, since we are not assuming trapdoor predicates (and there is no known sc-AKE-scheme that does not imply trapdoor predicates).

13 We define "passive" on the quantum channel to mean having no access, since it is difficult to formulate a definition of "read only" for a quantum channel. Measurement, which seems necessary for reading, is an active process.

• Advantage 2: Reduced dependence on out-of-band actions 

Because a q-AKE_sym-protocol generates secret key that is independent of the initial keys and the classical communication, initial keys can be smaller in the q-AKE_sym-protocol than in an OOB-protocol, i.e., less initial entropy is needed to prime the system. Also, a q-AKE_sym-system may require fewer subsequent out-of-band actions for refreshing initial keys, compared to PGE- and wc-AKE-systems (at the very least because the latter are more vulnerable to initial-key-reveal attacks — see above).

• Advantage 3: Reduced dependence on trusted third parties 

In a network, key establishment can be done in a mediated fashion, via a trusted key distribution centre, whose job is to give session keys to Alice and Bob so that they may communicate securely. As part of the setup, every user in the network, including Alice and Bob, shares an initial key (established out of band) with the key distribution centre; in principle, these initial keys may be asymmetric or symmetric. An example of such a system is Kerberos, where the initial keys are symmetric, and, upon request by either Alice or Bob, the key distribution centre generates a symmetric key and sends it (encrypted using the initial keys) to Alice and Bob, who then use it to encrypt and decrypt messages between each other.

Quantum key establishment may also be done in a mediated fashion, so that the channels connecting Alice to Bob go through a key distribution centre, which gives Alice and Bob a session key to be used as a symmetric initial key in a q-AKE_sym-protocol.

If trapdoor predicates are not assumed to exist, then any classical mediated key establishment system must use symmetric initial keys; this is because the key distribution centre must send keys to Alice and Bob, and these keys must be, at least partially, encrypted (assuming the key distribution centre is not to play an active part in the communication between Alice and Bob). Similarly, the session keys must be symmetric keys, too.

Comparing any classical mediated key establishment system to one where Alice and Bob use their symmetric session keys as initial keys in a q-AKE_sym-protocol, we see that, in the quantum case, Alice and Bob do not need to trust the key distribution centre after their key establishment protocol is complete. By contrast, in the classical case, the key distribution centre must always be trusted, since it knows the keys that Alice and Bob use to communicate securely. As well, Alice and Bob may be able to decouple themselves completely from the key distribution centre after their first q-AKE_sym-session. Thus, any compromise of the key distribution centre after the first q-AKE_sym-session does not necessarily affect Alice and Bob.

• Advantage 4: Long-term security from short-term security 

The secret key generated by any q-AKE-protocol will be information-theoretically secure even if the authentication algorithm is broken in the short term — as long as the break occurs after the key establishment protocol is completed. We may refer to this as "conditional information-theoretic security". This allows for the use of authentication algorithms that are perhaps less secure in the long term but are easier to manage with regard to initial keys, i.e., public-key algorithms. Note that any q-AKE_pub-system has the extra advantage over a q-AKE_sym-system that it is less susceptible to running out of authentication key due to noise or eavesdropping, because there is no practical limit on how many classical messages may be authenticated. In other words, using public-key authentication guards against at least one type of denial-of-service attack.

Also, Alice and Bob may not need to rely on the same type of authentication used for the first q-AKE-session for subsequent q-AKE-sessions, i.e., for the first session, Alice and Bob may execute a q-AKE_pub-protocol, but, for all subsequent sessions (in principle, i.e., in the absence of sufficiently heavy adversarial action or noise), they may execute a q-AKE_sym-protocol. Two potential advantages of such a two-phase system are that (1) subsequent key establishment sessions may run faster (since the symmetric-key algorithms may be more efficient than public-key algorithms for the required level of security) and (2) subsequent key establishment sessions may not need to rely on any computational assumptions.

If quantum computers can be assumed not to exist in the short term, i.e., for the service-lifetime of the public keys, then one can even use public-key signature schemes whose security relies on the assumption of hardness of factoring and the discrete logarithm problem for classical computers.

We believe that its ability to derive long-term from short-term security, also known as everlasting security,¹⁴ may be the most attractive aspect of QKE systems from a security perspective.

The baby... The advent of public-key cryptography revolutionized secure telecommunications, by vastly simplifying the problems of key distribution and key management: Alice and Bob no longer needed to pre-share a symmetric key. Instead, Alice could publish her own public key, and that would be sufficient for her to receive encrypted messages from anyone who got a hold of it.

Of course, "publishing" a public key is easier said than done, but public-key cryptography helps solve this problem, too. A signature scheme can be used in conjunction with a network of trusted third parties to help Bob be certain that he has Alice's legitimate public key.¹⁵ This is probably the reason Rivest [31] wrote, "The notion of a digital signature may prove to be one of the most fundamental and useful inventions of modern cryptography."

...the bathwater. There is a price to pay for the advantages of a public-key infrastructure. Security necessarily depends on assumptions about the hardness of certain mathematical problems; proofs that such problems are actually hard seem to be beyond the reach of theoretical computer scientists.

14 The term "everlasting security" has been used in the context of the bounded storage model (see, e.g., Ref. [28]), where, e.g., it describes the case where encryption is secure even if the adversary, at some later time, learns the pre-shared symmetric key, as long as, at the time of transmission of the ciphertext, the adversary has bounded storage capability (see Ref. [29]). The term seems equally well suited to QKE.

15 On the Internet, this works as follows. Bob's web-browser comes from the manufacturer pre-loaded with the public key of a trusted third party Charlie. When Bob wants to communicate with Alice, she shows Bob a certificate which contains her purported public key and Charlie's signature of the certificate, which also contains Alice's name (and other uniquely identifying and publicly-agreed-upon details about Alice). Bob checks that Alice's public key is valid by verifying Charlie's signature using the pre-loaded public key. In this context, signature schemes are said to offer "manageable persistence" (via digital signature) of the binding of a name and a key [30].
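Footnote 12 notes that signature schemes can be built from one-way functions alone, and footnote 15 describes the certificate check Bob performs with Charlie's pre-loaded key. The following Python is an added example, not code from the article: it implements a Lamport one-time signature from SHA-256 (a hash function standing in for a one-way function, with no trapdoor anywhere) and uses it for the footnote-15 check, where Charlie signs a certificate binding Alice's name to her public key and Bob verifies it. The key sizes, the certificate encoding and all function names are assumptions of this example; each Lamport key pair signs exactly one message.

```python
import hashlib
import secrets

# Added example, not from the paper: a Lamport one-time signature built from
# SHA-256 alone (a hash function standing in for a one-way function; no
# trapdoor is used), then a toy certificate check in the style of footnote 15.
# Key sizes, the certificate encoding and all function names are assumptions
# of this example.

N = 256  # SHA-256 digests are 256 bits; one preimage pair per digest bit


def H(data):
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: N pairs of random 32-byte preimages.
    Public key: the SHA-256 images of those preimages, in the same order."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _digest_bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def sign(sk, msg):
    """Reveal, for each digest bit i, the preimage sk[i][bit]. A Lamport key
    pair must sign only one message: a second signature leaks preimages for
    both bit values, after which anyone can sign further messages."""
    return [sk[i][b] for i, b in enumerate(_digest_bits(msg))]


def verify(pk, msg, sig):
    """Hash each revealed preimage and compare it with the public image
    selected by the corresponding digest bit."""
    if len(sig) != N:
        return False
    return all(H(s) == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, _digest_bits(msg))))


# --- Footnote-15-style certificate check -----------------------------------

def encode_pk(pk):
    return b"".join(a + b for a, b in pk)


def decode_pk(raw):
    return [(raw[i:i + 32], raw[i + 32:i + 64]) for i in range(0, 64 * N, 64)]


def make_cert(name, subject_pk, ca_sk):
    """Certificate body = length-prefixed name || subject public key;
    the trusted third party (Charlie) signs the whole body."""
    body = len(name).to_bytes(2, "big") + name + encode_pk(subject_pk)
    return body, sign(ca_sk, body)


def check_cert(cert, ca_pk, expected_name):
    """Bob's check: Charlie's signature must verify under the pre-loaded CA
    key, and the name inside must be the party Bob intends to talk to.
    Returns the subject's public key, or None if the certificate is rejected."""
    body, sig = cert
    if not verify(ca_pk, body, sig):
        return None
    name_len = int.from_bytes(body[:2], "big")
    name, pk_raw = body[2:2 + name_len], body[2 + name_len:]
    if name != expected_name or len(pk_raw) != 64 * N:
        return None
    return decode_pk(pk_raw)


def demo():
    charlie_sk, charlie_pk = keygen()  # charlie_pk is what Bob's browser ships with
    alice_sk, alice_pk = keygen()
    cert = make_cert(b"alice", alice_pk, charlie_sk)
    genuine_ok = check_cert(cert, charlie_pk, b"alice") == alice_pk
    # A substituted key under Charlie's original signature must be rejected.
    _, mallory_pk = keygen()
    forged_body = len(b"alice").to_bytes(2, "big") + b"alice" + encode_pk(mallory_pk)
    forged_rejected = check_cert((forged_body, cert[1]), charlie_pk, b"alice") is None
    # A valid certificate for the wrong name is rejected as well.
    wrong_name_rejected = check_cert(cert, charlie_pk, b"bob") is None
    return genuine_ok, forged_rejected, wrong_name_rejected


if __name__ == "__main__":
    print(demo())
```

The point of the construction is the one the footnote makes: Bob's trust rests on a single pre-loaded public key and on the one-wayness of the hash, not on any trapdoor. The cost, also noted in footnote 12, is visible in the sizes: a public key here is 16 KiB and a signature 8 KiB, which is why the footnote calls the generic construction a plausibility result.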
After Peter Shor discovered an efficient quantum algorithm for factoring and computing discrete logarithms in 1994, QKE protocols, the earliest of which dates back to 1984, received renewed interest. Most literature on QKE that appeared in the 1990s and early 2000s focussed on protocols in the class q-AKE_sym. And rightfully so: it is remarkable that symmetric initial keys can be expanded into much larger, independent, and information-theoretically secure secret keys in band by exploiting quantum mechanics. As such, these articles, through their reference to Shor's discovery, may have been seen as suggesting that all computational assumptions should be jettisoned at the earliest opportunity — for who knew what problems might next succumb to the power of a quantum computer?

A new spin on quantum cryptography. It was known (though perhaps not widely) that insisting on unconditional security was not the only way forward in order to ensure reasonable security against quantum attacks. It was evident that public-key signature schemes could be used to authenticate the classical channel in a QKE protocol, and that such a system would have some attractive features; this idea first appeared in the literature in Ref. [2]. Indeed, in light of Theorem 12 and Table 2, and assuming Conjecture 15 is true, this idea becomes rather more striking:

• Quantum cryptography is the only known way to achieve (quantum-resistant) private communication in a public-key infrastructure with the minimal computational assumptions.

(If in addition Conjecture 13 is true, then the word "known" can be dropped.) In other words, with some abuse of the metaphor, quantum cryptography potentially allows us to throw out some of the bathwater — i.e., primitives with a trapdoor property — while keeping most of the baby — i.e., authenticated encryption without symmetric initial keys — and no classical scheme is known to accomplish this. At the very least, quantum cryptography certainly allows us to sidestep the question of the necessity of trapdoor predicates for secret key agreement (or trapdoor functions for trapdoor predicates [32]). We view this as strengthening the case for signed QKE.

If public-key encryption exists... If trapdoor predicates do exist and are secure in the long term, we note that Advantages 1 through 4 can variously be achieved by sc-AKE-protocols to at least some degree. However, in this case, QKE protocols may have other advantages over classical ones. Because the secret key s generated in a q-AKE-protocol is independent of the classical communication c, there is no mathematical way to connect these two quantities or — attribute — the secret key to Alice's and Bob's publicly readable discussion; we say that the secret key is nonattributable.¹⁶

There are two ways in which a secret key may be considered attributable: it is attributable to Alice's and Bob's public discussion (through its dependence on the classical communication) and it is attributable to Alice and/or Bob (because they participated in the classical communication). For the former way, we just use the term attributable to describe the secret key; for the latter way, we say the secret key is party-attributable. If the classical communication is authenticated via a signature scheme, then the secret key may be party-attributable in a provable way, or provably party-attributable. If the secret key is subsequently used in an encryption scheme to encrypt a plaintext, then we say that the plaintext is (party- or provably party-) attributable whenever the secret key is.

Because q-AKE-protocols do not produce an attributable secret key, a q-AKE_pub-protocol may be used in composition with a one-time pad encryption scheme, and then the secret key (and hence the plaintext) would never be attributable. No totally classical scheme can achieve the same thing, i.e., non-party-attributable, public-key, secure communication.

For symmetric-key ciphers where the bit-length of the secret key is much smaller than the bit-length of the message (e.g., AES), the cipher itself provides a subroutine for recognizing the secret key (i.e., if a candidate secret key s' decrypts the ciphertext to something sensible, then with high probability s' equals the actual secret key). If the secret key was produced by a sc-AKE_pub-protocol, then the secret key (and hence the plaintext) are provably party-attributable given the secret key; however, if the secret key was produced by a q-AKE_pub-protocol, it is not attributable at all. This is a potential advantage of using QKE to generate AES keys.

16 In Ref. [33], Beaver discusses "deniability" (see Refs. [34, 35]) of QKE, which is similar to nonattributability. However, in that paper, it is assumed that Alice and Bob keep a record of their qubit-measurement outcomes (often called "raw key bits") made during the protocol and that, if Alice and Bob are to deny that a particular secret key was established, this record must be consistent with any measurements made by an eavesdropper, i.e., someone who is forcing Alice or Bob to reveal the secret key (or the plaintext encrypted by it). We assume that Alice and Bob do not keep such records and that it is sufficient that the forcer cannot provide evidence that attributes a particular secret key to the classical communication; any measurement on the quantum channel that the forcer made is not publicly verifiable, so we do not view its outcome as part of the public record. In other words, in our model, Alice and Bob need not provide evidence to support their (tacit) denial. Incidentally, Beaver concludes that the standard QKE protocols do not provide deniability in his model.
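The "subroutine for recognizing the secret key" that the paragraph above attributes to short-key ciphers, and its absence for a one-time pad, are made concrete in this added Python example, which is not code from the article. A counter-mode SHA-256 keystream stands in for AES (an assumption of this example; the argument depends only on the key being much shorter than the message), and the plaintexts are constructed. The example also shows the one-time-pad side of the argument: for any claimed plaintext of the right length there is a pad that maps the ciphertext to it, so the ciphertext carries no evidence for one key or message over another.

```python
import hashlib
import secrets

# Added example, not from the paper. A cipher whose key is much shorter than
# the message lets anyone holding the ciphertext recognise the right key; a
# one-time pad does not. The counter-mode SHA-256 keystream stands in for AES
# (an assumption of this example); the plaintexts are constructed.


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key, length):
    """Short-key stream cipher stand-in: SHA-256(key || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def short_key_encrypt(key, plaintext):
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


short_key_decrypt = short_key_encrypt  # XOR stream cipher: same operation


def looks_sensible(data):
    """Crude plaintext test: printable ASCII. Any redundancy in the plaintext
    (natural language, a file format, padding) can play the same role."""
    return all(32 <= c < 127 or c in (9, 10, 13) for c in data)


def recognise_key(candidate, ciphertext):
    """The recogniser from the text: a candidate that decrypts the ciphertext
    to sensible plaintext is, with high probability, the real key."""
    return looks_sensible(short_key_decrypt(candidate, ciphertext))


def otp_key_explaining(ciphertext, claimed_plaintext):
    """One-time pad: for ANY claimed plaintext of the right length there is a
    pad mapping the ciphertext to it, namely c XOR p'. No recogniser exists."""
    if len(claimed_plaintext) != len(ciphertext):
        raise ValueError("one-time pad plaintext must match ciphertext length")
    return xor_bytes(ciphertext, claimed_plaintext)


def demo(trials=200):
    msg = b"Meet at the usual place at noon; bring the documents."
    # Short-key cipher: a 128-bit key protecting a 53-byte message.
    key = secrets.token_bytes(16)
    ct = short_key_encrypt(key, msg)
    true_key_recognised = recognise_key(key, ct)
    # Random wrong keys essentially never decrypt to printable text: the
    # per-trial probability is roughly (97/256) ** 53.
    false_hits = sum(recognise_key(secrets.token_bytes(16), ct) for _ in range(trials))
    # One-time pad: the same ciphertext is consistent with a different message.
    pad = secrets.token_bytes(len(msg))
    ct_otp = xor_bytes(msg, pad)
    alt = b"Nothing to see here, just a routine status report.".ljust(len(msg))
    alt_pad = otp_key_explaining(ct_otp, alt)
    otp_ambiguous = (xor_bytes(ct_otp, pad) == msg
                     and xor_bytes(ct_otp, alt_pad) == alt
                     and looks_sensible(alt))
    return true_key_recognised, false_hits, otp_ambiguous


if __name__ == "__main__":
    print(demo())
```

Run as a script, `demo()` reports that the true key is recognised, that none of the random wrong keys is, and that the one-time-pad ciphertext is equally well explained by two different sensible plaintexts. This is exactly why the paragraph distinguishes the two cases: with a short key, anyone who later learns (or is handed) a candidate key can check it against the recorded ciphertext, whereas a pad derived from nonattributable QKE output leaves nothing to check.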
Closing Remarks. Recall the objections to QKE that we listed earlier (see Page [2]). We have addressed Objection 4 early on, by highlighting the fundamental distinction between in-band and out-of-band key establishment protocols. We believe there exist (or will exist) applications where in-band generation of entropy is desirable.

Objections 2 and 3 both propose using (potentially very long) symmetric initial keys in OOB or PGE protocols. We have presented a considerable list of advantages that QKE has over these protocols.

Objection 1 is the strongest one, but it relies on the computational assumption of a trapdoor predicate, which (until any lower bounds are proven) incurs risk when public-key encryption is used for long-term secrets. The field of quantum algorithms is still relatively young, so it is probably unwise to assume any particular candidate trapdoor predicate with a particular set of parameters is secure (the recent discovery of a subexponential-time quantum algorithm for elliptic curve isogenies supports this perspective [36]). However, in addition to these standard counter-arguments for Objection 1, we have shown that QKE may offer the benefit of nonattributability in scenarios where no purely classical scheme can. We also note that it is conceivable that, in the future, a q-AKE-system may be more efficient (i.e. have a higher secret key rate) than a sc-AKE-system, as public-key encryption is known to be rather slow. As well, q-AKE-systems may be more cost-effectively resistant to side-channel attacks, which are notoriously difficult to defend against in the classical world.

The debate on the merits of QKE may have suffered from a focus on unconditional security, which may have given the impression that it is of no value to practical cryptography. The message from classical cryptographers has been loud and clear: the pre-sharing of symmetric keys is costly and thus to be avoided in the majority of key-establishment applications: e.g., Paterson et al. [2] wrote, "[Quantum key establishment], when unconditionally secure, does not solve the problem of key distribution. Rather, it exacerbates it, by making the pre-establishment of symmetric keys a requirement." They also wrote, "It is likely that using [QKE] with public key authentication [...] has security benefits [...]. However, [QKE] loses much of its appeal in [this setting], as the overall system security is no longer guaranteed by the laws of quantum physics alone." Our article is completely in accordance with the former comment and, with regard to the latter comment, expands on the "benefits" of signed QKE in order to bolster its "appeal". As such, we hope to have firmed up the middle ground between unconditionally-secure QKE and computationally-secure classical key establishment in the "quantum debate".